Slashdot Mirror


MS SQL Server Worm Wreaking Havoc

defile writes "Since about midnight EST almost every host on the internet has been receiving a 376 byte UDP payload on port ms-sql-m (1434) from a random infected server. Reports of some hosts receiving 10 per minute or more. internetpulse.net is reporting UUNet and Internap are being hit very hard. This is the cause of major connectivity problems being experienced worldwide. It is believed this worm leverages a vulnerability published in June 2002. Several core routers have taken to blocking port 1434 outright. If you run Microsoft SQL Server, make sure the public internet can't access it. If you manage a gateway, consider dropping UDP packets sent to port 1434." bani adds "This has effectively disabled 5 of the 13 root nameservers."
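A triage sketch for the traffic the story describes, added here as an example and not part of the original submission: it counts UDP hits on port 1434 per source and separates datagrams whose UDP length matches the reported 376-byte payload (384 with the 8-byte UDP header) from other traffic to that port. The iptables-style LOG layout, the sample lines, the documentation addresses and the function names are assumptions.

```python
import re
from collections import Counter

SQL_MONITOR_PORT = 1434            # ms-sql-m, as named in the story
PAYLOAD_BYTES = 376                # payload size reported in the story
UDP_LEN = PAYLOAD_BYTES + 8        # UDP length field includes the 8-byte header

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (documentation addresses); iptables LOG layout assumed.
SAMPLE_LOG = """\
Jan 25 05:31:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=404 TTL=112 PROTO=UDP SPT=1045 DPT=1434 LEN=384
Jan 25 05:31:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=404 TTL=109 PROTO=UDP SPT=2310 DPT=1434 LEN=384
Jan 25 05:31:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.6 LEN=404 TTL=112 PROTO=UDP SPT=1045 DPT=1434 LEN=384
Jan 25 05:31:20 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=29 TTL=60 PROTO=UDP SPT=5000 DPT=1434 LEN=9
Jan 25 05:31:21 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=60 TTL=60 PROTO=TCP SPT=4000 DPT=1433 WINDOW=5840 SYN
Jan 25 05:31:22 gw kernel: truncated line PROTO=UDP DPT=1434
"""

def classify(line):
    """Return (source, verdict) for UDP/1434 traffic, or None for anything else."""
    fields, lengths = {}, []
    for key, value in FIELD.findall(line):
        if key == "LEN":
            lengths.append(value)      # first LEN is the IP length, last is the UDP length
        else:
            fields[key] = value
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != str(SQL_MONITOR_PORT):
        return None
    src = fields.get("SRC")
    if src is None or not lengths or not lengths[-1].isdigit():
        return ("unknown", "unparsed")  # keep malformed hits visible instead of dropping them
    verdict = "worm-sized" if int(lengths[-1]) == UDP_LEN else "other-1434"
    return (src, verdict)

def summarize(log_text):
    """Count hits per (source, verdict) pair across a whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits[result] += 1
    return hits

if __name__ == "__main__":
    for (src, verdict), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:11} {count}")
```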

36 of 906 comments

  1. Who did this I wonder????? by amigaluvr · · Score: 4, Funny

    Kevin Mitnick is allowed back on the net and the net goes fubar

    1. Re:Who did this I wonder????? by Anonymous Coward · · Score: 5, Funny

      It was not Mitnick.

      I investigated into this matter, and came up with the following theory.

      Port 1434 = 1+4+3+4 = 12

      12 is the number of the month when Steve Gibson got hired as a consultant. Coincidence? I think not!

      SQL (alphabet numbered) = S(19) + Q(17) + L(12) = 48

      48 is the number of states which are connected together on US map. That means that attack came either from Hawaii or Alaska.

      Using the search on a popular site called Google, I was able to track down the perpetrator.

      So at the end we are left with one answer: Steve Gibson is just hax0ring back, in an elaborate revenge plan to outlaw port 1434 and raw sockets.

    2. Re:Who did this I wonder????? by TheTomcat · · Score: 3, Funny

      How do we get back??

      I know..

      HACK THE GIBSON

      erm..
      nevermind..

      S

    3. Re:Who did this I wonder????? by Anonymous Coward · · Score: 1, Funny

      Congratulations! You posted a funny non-troll comment to Slashdot.

      The last "funny" non-troll comment which was actually funny was made around 3 years ago I believe.

    4. Re:Who did this I wonder????? by FenderGeek · · Score: 2, Funny

      Aw man, now I went and spit Coke all over my keyboard! Hey wait... Gibson makes guitars. Guitars are played by musicians. Musicians with contracts work for a record company. Record companies are in league with the RIAA! The RIAA is doing this to keep me from my mp3s!!

      --
      One only needs two tools in life: WD-40 to make things go, and duck tape to make them stop. ~G.M. Weilacher
  2. Ok now tell me by vicviper · · Score: 4, Funny

    how many queries at the root level are unnecessary. :)

    1. Re:Ok now tell me by DarkZero · · Score: 4, Funny

      More today than yesterday.

  3. Re:Terrorism, must be by weave · · Score: 5, Funny

    Terrorism? Bill Gates better be detained indefinitely as an enemy combatant then. Finally, some good may come out of this terrorism paranoia!

  4. Been waiting for this by tigress · · Score: 3, Funny

    ...the Slashdot article, that is. I've been watching this since I got up this morning (about five hours ago, local time). There's been plenty of discussions about this on various mailing lists, including NANOG and NordNOG, as well as several IRC channels I frequent. I'm surprised it took this long for Slashdot to post anything about it.

    According to unconfirmed sources on NANOG, the worm seems to eat up bandwidth at line rate (even at GigE links), is rumored to amplify itself via Cisco routers, and is the creation of Saddam Hussein.

    My journal on the worm.

  5. Al-Qaeda by tigress · · Score: 2, Funny

    It's those darn Al-Qaeda, I tell you! Them and Saddam Hussein! Damn them for retaliating against our Righteous Attacks!

  6. Such floods can be easily stopped. by Krapangor · · Score: 2, Funny

    The only problem is that most of the responsible people are computer scientists and sometimes even only with a BS in CS and therefore have no clue of harmonic analysis and advanced probability theory.
    If you project your network system in the C^n- space of markovian probability measures and with to the frequency domain, you can easily see that our system represents a compact manifold of superharmonic measures. And malign overflow is just an upper bound in this set, therefore harmonic. It's well known that the only harmonic functions on compact manifolds are constant. So going back into the time domain this means that you must just analyze the frequency of the packets. All packet streams with a constant frequency are malicious by the above calculation and therefore should be dropped. Of course there are some minor points with the frequency reflection on edges etc. but this is very basic stuff and can be easily solved.
    I think there was a paper of Lorgajev and Starniktov in the 80ies about this, but I'm not really sure.

    --
    Owner of a Mensa membership card.
  7. Re:Whoever puts their database server by cyb97 · · Score: 5, Funny

    Are these the same people that leave their cars unlocked with the keys in the ignition?
    A real idiot would leave the car locked with the keys in the ignition...
    I guess they learn something at MSCE courses ;-)

  8. Yow! Good call /. by JasonUCF · · Score: 5, Funny

    I groggily stumble up to my computer, it being a normal enough sort of Saturday AM, and as I sit down I cast a lazy eye at my firewall counter.

    Woah! What's.. uh.. 150 inbound requests.. doing.. today.. worm?

    I start to fire up /. -- a lengthy process due to my dumbass ISP not having reverse DNS entries -- so I sniff around my logs.

    *clickity click*

    1434? The hell is 1434. Worm?

    *slashdot shows*

    Ah ha! Ve haf comprehension.

    *groggily shuffle off to get coffee, oooo black gold*

    For what it's worth, a majority of the packets so far have been mostly US servers -- .edu's with cute names like 'staging3', 'testing1', and, no joke, 'snoogans'.

  9. Fox News by avalys · · Score: 5, Funny

    Heh...on the Fox News Channel's ticker, they had the following tidbit of information:

    "The virus spreads using a Microsoft vulnerability known as "SQL Server""

    --
    This space intentionally left blank.
    1. Re:Fox News by Kashif Shaikh · · Score: 4, Funny

      Heh...on the Fox News Channel's ticker, they had the following tidbit of information:

      Well, on CNN's headline newsticker they have:

      "[Microsoft][ODBC SQL Server Driver]Operation canceled

      [Microsoft][ODBC SQL Server Driver]Timeout expired

      ODBC: Msg 0, Level 16, State 1

      Communication link failure

      Connection Broken"

  10. Re:Yow! Good call /. by caluml · · Score: 5, Funny

    This one has surprised me most so far:
    tybclbsqla02.listbuilder.com

    Hmm. Lists equal large databases.
    Large databases usually mean a DBA.
    DBAs should know better.

    whois listbuilder.com

    Technical Contact:
    Microsoft (EJSEHEQUAO)
    msnhst@MICROSOFT.COM
    Microsoft
    One Microsoft Way
    Redmond, WA 98052
    US
    425-882-8080

  11. The whole Internet has been Slashdotted by Runny · · Score: 2, Funny

    This is what would happen if /. ever became a search engine.

  12. Re:been watching this all night by Anonymous Coward · · Score: 2, Funny

    You have been watching this all night?

    Man that is sad.

    I have been banging hot chicks all night. Gimme yer phone # and I will hook ya up with some of my hot and slutty ho's.

  13. totally deserved... by smash · · Score: 2, Funny

    Anybody who puts an SQL server of any kind out in the open, let alone one with such a colourful security history as MS-SQL server, deserves whatever they get.

    I'm not justifying behavior of the assholes who release these worms, but leaving the SQL server visible to the public internet is just slightly retarded.

    If these boxes actually have someone employed as admins, they should get fired, plain and simple

    smash.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  14. Re:wow yeah! by dangermouse · · Score: 5, Funny

    and what better time than on a Saturday morning when all admins are away and not planning to work the next day

    What's it matter? It's not like you people have gone to work since last July anyway.

  15. billg has no uniform; therefore illegal combatant by Swordfish · · Score: 5, Funny

    billg cannot be an enemy combatant because he
    does not wear a military uniform.
    So he must be an _illegal_ combatant.
    Therefore, if guilty, he will have to go to
    Guantanamo Bay for a few years to "help with
    investigations".
    Of course, proof cannot be given for his guilt
    because that might jeopardize national security.
    Therefore no trial until terrorism is defeated.
    Can't afford to take chances with them terrorists!

  16. Re:What's the DNS connection? by Gothmolly · · Score: 3, Funny

    Because some of the roots are on very clogged backbones. Welcome to the Internet. What don't you understand today?

    --
    I want to delete my account but Slashdot doesn't allow it.
  17. Re:As I said in a previous post... by Anonymous Coward · · Score: 1, Funny

    If there is an ISP with billions and billions of servers

    Ok Carl Sagan, I think you may be exaggerating here.

  18. Re:been watching this all night by Graspee_Leemoor · · Score: 4, Funny

    " been watching this all night...
    the fun's almost over now"

    I sincerely thank you, Sir or Madam. I previously thought that I was the most sad, laughable figure in the entire world, but now, having read your post, which conjures up images of someone sitting in front of their monitor, snacks in hand, gasping in amazement at the output of tail -f on their firewall log all night, I know that there is yet hope for me.

    graspee

  19. Re:Patch by Anonymous Coward · · Score: 5, Funny

    I found it amusing that the two current headlines on the front page under the technology section at CNN are:

    Gates pledges better software security
    Electronic attack slows Net

    Now if they would only address security before they released their products we might not see these issues.

  20. Re:As I said in a previous post... by DarkZero · · Score: 5, Funny

    Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.

    Locks promote softer security.

    "Oh, I'm OK because I have locked doors and windows..."

    I think door locks make people lazy. Imagine if we didn't have deadbolts, or doors for that matter. We'd have to sit in front of the front door, with a shotgun, never sleeping for more than a few moments.

  21. Re:Terrorism, must be by hardcode · · Score: 4, Funny

    In South Korea internet services were shut down nationwide for hours on Saturday, the country's Yonhap news agency reported.

    And every email admin in the western world heaved a sigh of relief

  22. Slightly ironic . . . by aaronhurd · · Score: 3, Funny

    I guess even Gates saw this coming. ;-)

    "New security risks have emerged on a scale that few in our industry fully anticipated," Gates wrote in a 1,500-word e-mail distributed late Thursday to about 1 million people. (Full article at CNN.com)

    DOH!

  23. Re:Why would anyone use anything else? by John Hasler · · Score: 2, Funny

    And today we are seeing the one thing at which Microsoft products really kick ass...

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  24. Re:As I said in a previous post... by Dr. Photo · · Score: 2, Funny

    Sounds like you're advocating armadillo security to me - hard on the outside, soft on the inside.

    Mm... sounds like them's good eatin'! :D

  25. DDOS to some, maintenance window to others by packnet · · Score: 2, Funny

    We were joking, but while the barrage of UDP traffic taxed our front-end, we figured it might be a great time to take systems down for maintenance - WTF, we were up, nobody could hit our site, no explanation to management!

    "Our site was down"

    "It was the worm, sir."

    "I like the new layout. Did the worm do that?"

    "Uh... yes?"

  26. Re:Yow! Good call /. by DarkZero · · Score: 2, Funny

    My funniest, I shit you not, is "isecureserver.smsu.edu". Apparently some "I" at Southwest Missouri State University did not secure their server as well as they thought. At first I actually wondered if it was a practical joke.

  27. What's in a name? by bobdotorg · · Score: 2, Funny

    SQL Slammer? A worm virus? Sounds more like a shooter at Hooters on geek night.

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  28. Funny, Internet designed to survive nuke attack... by sunking7 · · Score: 2, Funny

    ... but it can't survive Microsoft's software

    Does that mean that Redmond is in possession of something *worse* than WOMD???

    We demand IMMEDIATE source code inspections!!!

    Or there will be severe consequences.

    someone want to start a petition?

  29. The White House commented on this today by Aexia · · Score: 1, Funny

    "Network security is an important front in our war on terrorism.

    "That's why Saddam Hussein is a menace that must be stopped with all due force."

  30. Re:Terrorism, must be by JebusIsLord · · Score: 3, Funny

    What starcraft/diablo players exactly? They said Korea was down for chrissake!

    --
    Jeremy